
About

Bruce came to personal finance writing the old fashioned way: he didn't have much money, but wanted to do cool things. Clearly, some creativity was in order. From traveling around Europe to paying for a wedding, moving to New York to raising a child, he's figured out how to have fun without spending much money. In the process, he's also learned a few things about how politics and economics can help (or hurt) middle class finances. As DailyFinance's senior features writer, Bruce gets to combine his two favorite things: learning how the world works and explaining what he's learned to his readers.

Another day, another big information security breach. This time, it's LinkedIn and eHarmony, but it seems like only yesterday that Sony, Zappos, Nintendo, AT&T, Global Payments, and even the Department of Defense were scrambling to deal with huge numbers of stolen passwords and compromised accounts.

All things being equal, one thing is increasingly clear: If you buy, sell, congregate or communicate through a computer, you'll probably have your account hacked at least once in your lifetime. And if you haven't already faced the momentary fear and loss, the sense of disassociation and confusion that accompany a data breach, you're lucky -- and probably overdue.

(Admittedly, there are some people for whom this isn't an issue. If you change your passwords weekly, always choose random selections of numbers, letters and symbols, and scrupulously refuse to use the same password more than once, chances are much higher that you'll manage to avoid having your accounts hacked. Then again, if you're constantly generating, memorizing and changing passwords, chances are that you're already dealing with a fair bit of terror.)


For the rest of us, the question is not if -- or even when -- we are going to be hacked. It's how we're going to deal with the aftermath. The first thing to do is not delay. As The Los Angeles Times' Salvador Rodriguez noted when LinkedIn was hacked, the Twitterverse was flooded with e-mails giggling about the site's general lack of utility. One user commented "If my LinkedIn profile was updated or signed in to in any way in the last four years, then yes, it was hacked," while another piped up with, "Gee, I sure hope nobody got my LinkedIn password! If your friend request gets accepted, you'll know I was hacked."


While the Twitterers fiddled and LinkedIn burned, a bigger problem may have been developing. Many people use the same password on multiple sites, which means that, for a significant fraction of those 6 million to 8 million LinkedIn users, both their e-mail addresses and their common passwords were in the wrong hands.

Fixing the Problem

And therein lies the first key to dealing with a compromised account: Don't waste time. If you find out that one of your accounts may have been hacked, move quickly to isolate the problem. The first step is to check the malware and antivirus software on your computer.

Make sure that your protection is up to date, and run the programs to ensure that your computer is clean. This is vital, as many viruses will continue to send your data back to the person who hacked your account. Jon Chase, on AOL's Switched, lays out the step-by-step process of dealing with a hacked e-mail account, but the most important lesson is that you need to be proactive.

Regardless of whether your e-mail account has been hacked or you just suspect that your personal information might be vulnerable, the key is to keep the breach from spreading. Once you're sure that your computer is clean, change passwords, activate security questions, and generally do everything you can to limit your vulnerability. If you have any concerns about your accounts, notify administrators and anyone else who may be affected.

When criminals hack a Facebook account, they typically use one of several available "brute force" tools, says Grayson Milbourne, Webroot's manager of threat research for North America. These tools cycle through a common password dictionary, and try commonly used names and dates, targeting hundreds of thousands of different email IDs. Once hacked, an account can be used as a platform to deliver spam, or -- more commonly -- sold. Clandestine hacker forums are crawling with ads offering Facebook account IDs and passwords in exchange for money. In the cyber world, information is a valuable thing.

Commandeering occurs when a criminal logs on to someone else's account using an illegally obtained ID and password. Once online, they have the victim's entire friend list at their disposal and a trusted cyber-identity. The impostor can then run a variety of confidence schemes, such as the popular "London scam," in which the "friend" claims to be stranded overseas and in need of money to make it home. The London scam has a far higher success rate on Facebook -- and specifically on commandeered accounts -- because there is a baseline of trust between users and those on their friends lists.

Profile cloning is the act of using unprotected images and information to create a Facebook account with the same name and details of an existing user. The cloner then sends friend requests to all of the victim's contacts, who will likely accept them, as they appear to be from someone they know. Those accepted friend requests give the con artist access to his new "friends'" personal information, which can be used to clone other profiles or to commit fraud.

As Grayson Milbourne puts it, "Exploiting a person's account and posturing as that person is just another clever mechanism to use to extract information." Perhaps what's scariest about this kind of crime is its simplicity. Hacking acumen is unnecessary to clone a profile; the criminal simply needs a Facebook account.

Phishing on Facebook usually involves a hacker posing as a familiar individual or respectable organization, and asking for a user's personal data, usually via a wall post or direct message.

Often, users will be directed to click on a link. Once they do so, their computer may be infected with malware, or they may be directed to a website that offers a compelling reason to divulge sensitive information.

A classic example would be a site that congratulates its victims for having won $1,000 and prompts them to fill out a form to collect their prize -- a form that requests credit card, bank account or Social Security numbers, which can then be used by the fraudsters.

Also becoming increasingly common, warns Milbourne, is "spearphishing," a practice that uses the same basic idea but targets users through their individual interests.

In this common con, the scammers direct users via some sort of clickable enticement to a convincing, but spurious, Facebook log-in page. When the victims enter their usernames and passwords, they are collected in a database, to be used by the original scammer or resold to other criminals.

Once scammers have a user's login information, they can take advantage of the identity through apps like Facebook Marketplace. Posing as a reputable user lets the scammer capitalize on the trust that his victim has earned to sell fake goods and services, or promote brands they have been paid to advertise.

In affinity fraud, con artists assume the identities of people in order to exploit the trust of those close to them to steal money or information. Facebook facilitates this type of fraud because people on the social network often end up having a number of "friends" they actually do not know personally and yet implicitly trust.

Criminals can infiltrate a person's group of friends and then offer someone deals or investments that are part of a con. They can also assume an identity by hacking into a person's account and asking their friends to wire them money, or give them sensitive information like a Social Security or credit card number.

Few sites provide an easier source of basic personal information than Facebook. While it is possible to keep all personal information on Facebook private, users frequently reveal their email addresses, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information often finds its way into passwords or answers to "secret" security questions. While the majority of unprotected information is mined for targeted advertising, it can be used for more pernicious ends such as profile cloning and, ultimately, identity theft.

Most mass email advertisements are legal, if annoying. However, the growth of social networking has allowed for a new kind of spam called clickjacking. Clickjacking uses an advertisement for a viral video or article as an inducement to click on a link. Once clicked, the link sends the user to a page that tricks them into taking actions that they don't realize they are doing, such as sending an advertisement to all their friends' walls, buying an item via a concealed page, or revealing personal data. This has become such an issue for Facebook that earlier this year, the company teamed up with the U.S. Attorney General to try to combat the problem.

But even halting the spread of your breach won't do much to overcome your initial security problem. Chase suggests creating a minimum of three e-mail addresses -- one for business communication, one for dealing with your service provider, and one for registering on sites like LinkedIn. Another security option is using a password vault, like Clipperz or KeePass, which lets you keep all your passwords in a single, highly protected place.

As long as people use the Internet to move money, goods and services, our data will continue to be a big, attractive target. And, while security tools are getting more sophisticated, so are the people seeking to subvert them. The key to your peace of mind will be setting up structures that will make it easier for you to survive the inevitable attack.

Bruce Watson is a senior features writer for DailyFinance. You can reach him by e-mail at bruce.watson@teamaol.com, or follow him on Twitter at @bruce1971.


Notasstupid Asyouthi

This has happened to me where someone had posted a bunch of crap on my account. The F.B.I. and Justice Department Cyber div. are now working on this. It has happened too much and I think that all these social sites should have a system set up where those that have made or are making impostor accounts should be banned for life and that the Government should deny them any use of computers for LIFE>>>> I have been hacked by a ring of hackers who are now in court in California, BUT they have new people working with them who pretend to be your friends, while hacking your computer.... The ones to watch out for are the ones that say NO YOUR COMPUTER WASN'T HACKED... Because they are the ones doing it... I went through three months of HELL on my computer until the F.B.I. and Justice Department stepped in. Now I'm looking for arrests in the next week or so of those that were the hackers. ABOUT TIME!.......... They are using the IP addresses and the computers that these people have contact with.... SOMETIMES they are Ghosts and steal your IP ADDRESS but there is a way that the Government can now see where the original IP address is coming from...


This is one of the biggest problems with internet security: people are still encouraged to rely on their password as if it were all that is needed. And this is just another one of the millions of articles that talk about password strength and password managers. Strong passwords do not replace the need for other effective security controls. People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything when it is stolen from the source! People need to be talking less about passwords and more about other steps that need to be implemented, like some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite for any system that wants to promote itself as being secure. With this, if they were to try to use the "stolen" password and don't have your phone, nor are on the computer, smartphone or tablet you have designated as trusted, they would not be able to enter the account.